Don,
I can't seem to get Range=0-* to return anything. The best I have been
able to do is query Range=0-1499, or another combination that is less
than the total number of members (1658).
I did try $entry->dump which did show me all the attributes of that
object but I really need a way to recursively query AD until I get
all members of the groups. My email to Glenn and the list shows the
code I am using, but just in case:
unless (@members) {
    $size = 1500;
    $first = 0;
    while (1) {
        $last = $first + $size - 1;
        @tmp = $entry->get_value("member;Range=${first}-${last}");
        unless (@tmp) {
            @tmp = $entry->get_value("member;Range=${first}-*");
            unless (@tmp) {
                last;
            }
        }
        push @members, @tmp;
        $first += $size;
    }
}
This is getting frustrating...
On 12/12/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
Megan, when I was doing testing with this I noticed there was some type
of caching occurring with the requests. I waited a while and since then
I have been able to use the member;Range=0-* for every size group (use
it in both the attr list and get_value). It would be a good idea to
check for the existence of other ranges in the return set.
As for your comment on get_value("member"). This is where you want to
use "member;Range=0-999" when you have just "member" in the attribute
list, not vice versa. If you use $entry->dump you will see what the
object contains in a nice readable form.
Don
use Net::LDAP;
my $ad_ldap = Net::LDAP->new('server');
my $error = $ad_ldap->bind('dn', password => 'pass');
my $group_search = undef;
$group_search = $ad_ldap->search(
    'base'   => 'dc=contoso,dc=msft',
    'filter' => "(&(objectClass=group)(samaccountname=mygroup))",
    'attrs'  => [ 'samaccountname', 'member;Range=0-*' ]
);
die if ($group_search->code);
print $group_search->entry(0)->dump;
my @members = $group_search->entry(0)->get_value('member;Range=0-*');
print $#members;
$ad_ldap->unbind;
-----Original Message-----
From: Megan Kielman [mailto:[EMAIL PROTECTED]
Sent: Monday, December 11, 2006 9:58 PM
To: Don C. Miller
Cc: Perl-LDAP Mailing List
Subject: Re: Net::LDAP search - active directory not returning member
list for large group
Don,
Thanks for the response.
First of all, you mentioned that if you don't specify a range and the
group contains more than 1000 users, $entry->get_value("member") will
return 'member;Range=0-999', however, in my case it doesn't appear to
return anything because when I loop through the @members, it is empty.
I tried using ('member;Range=0-*') and I still got nothing.
I played around with the Range and specified an upper limit like 0-100
and 100 of the users were returned. This method will work for this
script because I am simply trying to determine if a group is empty,
however, I may want the ability to return all members of a group,
regardless of how many members there are.
Thanks!
On 12/11/06, Don C. Miller <[EMAIL PROTECTED]> wrote:
> Megan, I hope everything is going well for you. The trick for getting
> this to work is to request the attribute 'member;Range=0-*' and then
> get_value('member;Range=0-*'). This should work on a group any size
> although I haven't tested on enormous groups. The 'Range' is case
> sensitive when requesting the attr but not on get_value. By default
> if the group has more than 1000 users, and you don't specify a range,
> it will return 'member;Range=0-999'.
>
> You can play with the range...but here is one thing to keep in mind.
> If you use a value greater than the number of members it will return
> the value as Range=0-*. For instance, if I have a group with 1025
> members here are the attributes I will get back:
> 'member' returns 'member;Range=0-999'
> 'member;Range=0-500' returns 'member;Range=0-500'
> 'member;Range=0-1500' returns 'member;Range=0-*' (1500 is greater than
> the 1025 members)
> 'member;Range=0-*' returns 'member;Range=0-*'
>
> Keep in mind you can use the dump method to output a quick "raw" view
> of everything in the entry object.
>
> Don
>
> -----Original Message-----
> From: Graham Barr [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 11, 2006 4:51 PM
> To: [EMAIL PROTECTED]
> Cc: Perl-LDAP Mailing List
> Subject: Fwd: Net::LDAP search
>
> Begin forwarded message:
> > From: "Megan Kielman" <[EMAIL PROTECTED]>
> > Date: December 11, 2006 5:41:02 PM CST
> > Subject: Net::LDAP search
> > Message-Id:
> > <[EMAIL PROTECTED]>
> >
> > Graham,
> >
> > I hope it is ok that I am emailing you. Anyway, I am searching for
> > groups in AD and writing the contents of the "member" attribute to a
> > file. I have found there are cases when some groups are not
> > returning the members, but when I look in AD, the group does in fact
> > have members.
> >
> > One thing that is common amongst these groups is that when viewing
> > them via ADUC, the members all have gray hair which according to MS
> > means that the group contains more than 500 members.
> >
> > here is a sample of my code:
> >
> > my $ldap = Net::LDAPS->new($addr) or die "$@";
> > my $login = $ldap->bind($user, password => $pass);
> > my @srcargs1 = (
> >     base    => $path,
> >     scope   => "sub",
> >     filter  => "(sAMAccountName=$group)",
> >     attrs   => ['member', 'name', 'description', 'managedBy',
> >                 'createTimeStamp', 'modifyTimeStamp'],
> >     control => [ $page ],
> > );
> > $search = $ldap->search(@srcargs1);
> > foreach $entry ($search->entries) {
> >     @members = $entry->get_value("member");
> >     unless (scalar(@members)) {
> >         &getempty($entry);
> >         $count++;
> >     } else {
> >         print "$group is not empty\n";
> >     }
> > }
> >
>
>
>
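The ranged-retrieval loop this thread is working toward, as an added example that is not code from any of the posters: every chunk is requested with its own search, and the range the server reports in the returned attribute name decides whether to ask again. The names `all_values` and `ldap_fetcher` and the in-memory `$fake` server (1658 members, 1500 values per reply, matching the figures in the thread) are constructed for illustration.

```perl
use strict;
use warnings;

# Collect every value of $attr with AD ranged retrieval (added example).
# $fetch->($spec) runs ONE search requesting attribute $spec and returns
# { returned_attribute_name => [values] } for the matching entry.
sub all_values {
    my ($attr, $fetch) = @_;
    my ($first, @values) = (0);
    while (1) {
        my $got = $fetch->("$attr;Range=$first-*");
        # The reply is keyed by the range actually served, e.g.
        # "member;range=0-1499", or "member;range=1500-*" for the final chunk.
        my ($name) = grep { /^\Q$attr\E;range=\d+-(?:\d+|\*)$/i } keys %$got;
        last unless defined $name;           # attribute absent: no values
        push @values, @{ $got->{$name} };
        my ($upper) = $name =~ /-(\d+|\*)$/;
        last if $upper eq '*';               # server says this was the end
        $first = $upper + 1;                 # otherwise search again
    }
    return @values;
}

# Adapter for a bound Net::LDAP handle and the group's DN (both assumed).
sub ldap_fetcher {
    my ($ldap, $dn) = @_;
    return sub {
        my ($spec) = @_;
        my $res = $ldap->search(base => $dn, scope => 'base',
                                filter => '(objectClass=*)', attrs => [$spec]);
        die $res->error if $res->code;
        my $entry = $res->entry(0) or return {};
        return +{ map { ($_ => [ $entry->get_value($_) ]) } $entry->attributes };
    };
}

# Constructed stand-in server: 1658 members, at most 1500 values per reply.
my @all = map "CN=user$_,DC=example,DC=test", 1 .. 1658;
my $fake = sub {
    my ($first) = $_[0] =~ /=(\d+)-/;
    my $last = $first + 1499;
    return { "member;range=$first-*" => [ @all[$first .. $#all] ] } if $last >= $#all;
    return { "member;range=$first-$last" => [ @all[$first .. $last] ] };
};
my @members = all_values('member', $fake);
print scalar(@members), " members retrieved\n";
```

Against a live directory, the call would be `all_values('member', ldap_fetcher($ldap, $group_dn))`, where `$group_dn` is a hypothetical variable holding the group's distinguished name.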